Reporting

How to achieve day histogram in 20 minute interval?

Ste
Engager

The code below does create a table/ scatter plot showing the warnings per hour of day. 

All warnings between 00:00 and 00:59 will be counted/ listed in date_hour 0, warnings from 01:00 until 01:59 will be counted in date_hour 1, ....

If the time range is set across multiple days I still have the date_hours 0...23 all the warnings will be added independent of the date.

 

index="..." sourcetype="..." 
| strcat opc "_" frame_num "_" elem_id uniqueID
| search status_1="DRW 1*"
| stats count as warning by date_hour, uniqueID
| table uniqueID date_hour warning

 

For the kind of evaluation we're doing we would need to have shorter counting intervals than the one given by date_hour, e.g. 20 minutes.

The question is: how to update the code to get counting intervals smaller than one hour???

Below I managed to reduce the time interval to 20 minutes.  

 

index="..." sourcetype="..." 
| strcat opc "_" frame_num "_" elem_id uniqueID
| search status_1="DRW 1*"
| bin _time span=20m as interval
| stats count as warning by interval, uniqueID
| table uniqueID interval warning

 

 But: the date is still in there so I have a 20 min counting interval one day after the other. And the interval string is no more human readyble in the table. 

Any help is appreciated.

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
index="..." sourcetype="..." 
| strcat opc "_" frame_num "_" elem_id uniqueID
| search status_1="DRW 1*"
| bin _time span=20m as interval
| eval interval = strftime(interval,"%H:%M")
| stats count as warning by interval, uniqueID
| table uniqueID interval warning

View solution in original post

0 Karma

Ste
Engager

Most probably I got it:

index="..." sourcetype="..." 
| strcat opc "_" frame_num "_" elem_id uniqueID
| search status_1="DRW 1*"
| bin _time span=20m as interval
| eval interval = strftime(interval,"%H.%M")
| stats count as warning by interval, uniqueID
| table uniqueID interval warning

 

Changing the format string from "%H:%M"  to "%H.%M" seems to do the trick

0 Karma

Ste
Engager

@ITWhisperer Thank you, that was fast. 

I do get now a proper table with exactly the data I was looking for. 

But if I try to display this table as a scatter plot via Visualization I got a strange plot:

scatter.jpg

It looks like the scatter plot can not handle the interval information.  

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
index="..." sourcetype="..." 
| strcat opc "_" frame_num "_" elem_id uniqueID
| search status_1="DRW 1*"
| bin _time span=20m as interval
``` scatter plot will need a numeric ```
| eval interval = tonumber(strftime(interval,"%H%M"))
| stats count as warning by interval, uniqueID
| table uniqueID interval warning
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
index="..." sourcetype="..." 
| strcat opc "_" frame_num "_" elem_id uniqueID
| search status_1="DRW 1*"
| bin _time span=20m as interval
| eval interval = strftime(interval,"%H:%M")
| stats count as warning by interval, uniqueID
| table uniqueID interval warning
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...